Millions of Canva users’ data stolen as GnosticPlayers strikes again – Naked Security

Is it true that most people only read the first four lines of email, as this Twitterer suggests?

If so, a cynic might assume, as IT consultant Dave Hall did, that the marketing department at a company that has just suffered a massive data breach knows this too, and hence shoehorns its own message in at the top of the first breach notification it sends out.

The first breach notification sent out by Canva – the Sydney-based company behind the eponymous online design tool – let recipients know that on Friday 24 May 2019, it had discovered a breach while it was still in progress.

As soon as we were notified we immediately took steps to identify and remedy the cause and have reported the situation to authorities (including the FBI). We are very sorry for any concern or inconvenience this may cause.

… that is, Canva notified users that it had discovered a breach, but only after it told them about 1 million new free images and a new tool for printing t-shirts.

A breach notice sent out later that same day was stripped of what Hall called “marketing crap.”

The breach

Canva didn’t mention how many records had been accessed but said that it involved users’ names and email addresses, along with passwords that had been salted and hashed with Bcrypt: a password-hashing function that’s considered to be secure.

This means that our user passwords remain unreadable by external parties.

ZDNet had more details: the hacker reportedly told the publication that he/she/they got away with data for roughly 139 million users. Since February 2019, the hacker(s), who go by the alias GnosticPlayers, have listed for sale on the dark web a total of 932 million users’ data, stolen from 33 companies worldwide, according to ZDNet.

More stuff stolen

GnosticPlayers said that on 24 May, they’d downloaded everything up to 17 May 2019, and that Canva had detected the breach and closed down its database server.

Besides the stolen data types that Canva notified users about, the breach also involved real names and, where available, customers’ city and country information. There were 61 million hashed passwords stolen, as well.

Another breached data type was Google tokens – the tokens that enable users to sign up for the site without setting a password. ZDNet reports that, of the 139 million affected users in total, 78 million had Gmail addresses associated with their Canva account. The dump included details for some of the site’s staff and admins, according to the 18,816-account slice the hacker shared.

Canva said in a statement that users’ credentials haven’t been compromised, as far as it can tell, but that for safety’s sake, users are being advised to reset their passwords:

We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution.

Busy, bad beavers

GnosticPlayers was in the headlines in March 2019, when the hacker(s) put up 26 million records for sale, stolen from six online companies. As we reported then, the first of what would turn out to be four data caches had gone up for sale in early February, when GnosticPlayers were trying to sell a database of 617 million records pilfered from 16 companies for $20,000.

Days later, GnosticPlayers added 127 million records stolen from eight websites, before adding a third round on 17 February comprising another 93 million from another eight sites.